::Trend Micro Threat Resource Center::

28 February 2010

Rootkit-based Exploits Could Eavesdrop Smartphones

Computer scientists at Rutgers University this week are demonstrating ways that rootkits can attack new generations of smart mobile phones. The researchers, who are presenting their findings at a mobile computing workshop in Maryland, are showing how a rootkit could cause a smartphone to eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless — all without the user’s knowledge.

Rootkit attacks on smartphones — or upcoming tablet computers — could be more devastating because smartphone owners tend to carry their phones with them all of the time, the researchers say. This creates opportunities for potential attackers to eavesdrop, extract personal information from phone directories, or just pinpoint a user’s whereabouts by querying the phone’s GPS receiver. Smartphones also have new ways for malware to enter the system, such as through a Bluetooth radio channel or via text message.

In one test, the researchers showed how a rootkit could turn on a phone’s microphone without the owner knowing it happened. In such a case, an attacker would send an invisible text message to the infected phone, telling it to place a call and turn on the microphone, such as when the phone’s owner is in a meeting and the attacker wants to eavesdrop.

In another test, they demonstrated a rootkit that responds to a text query for the phone’s location as furnished by its GPS receiver. This would enable an attacker to track the owner’s whereabouts.

In a third test, the researchers showed a rootkit turning on power-hungry capabilities — such as the Bluetooth radio and GPS receiver — to quickly drain the battery.

The researchers are careful to note they did not assess the vulnerability of specific types of smartphones. They did their work on a phone used primarily by software developers rather than by commercial phone users. Working within a legitimate software development environment, they deliberately inserted rootkit malware into the phone to study its potential effects.

The research was supported by the National Science Foundation and the U.S. Army.


26 February 2010

Skeletons in Adobe's security closet

How many of you out there perform a computer restart when you are prompted to do so after a software installation or update (unless forced to)? Well, if you're guilty of not doing so, you may seriously want to consider doing so from now on.

Some findings revealed:

"While it is true that the Adobe Download Manager is removed upon computer restart, the user, who has just updated their Adobe product (usually without the requirement to restart the computer after the update), is still exposed to forced automatic installation until they restart their computer."

"On the same day I published my last blog post, I found yet another issue — a remote code execution flaw in the Adobe Download Manager. Basically, what I found is that an attacker can force an automatic download and installation of ANY executable he desires. So, if you go to Adobe’s website to install a security update for Flash, you really expose yourself to a zero-day attack."


24 February 2010

How to Alert Connections of a Social Network Hack

Twitter has rapidly become one of the most popular social media and microblogging services on the internet. Unfortunately, in the Web world, popularity often leads to increased security concerns. Twitter has also become a popular tool with cyber criminals, who are increasingly using it as a vessel to spread malware.

This past weekend, Twitter users were hit with a phishing scam that caught many off guard. (Attacks on social networks tripled in 2009.) The innocuous-sounding message included a link that, if clicked, led to a spoofed Twitter login page. Anyone who logged in via that page would have had their Twitter account credentials stolen. Those victims then had the same message tweeted out to their contacts, thus causing exponential spread of the phishing attack. The messages sent were similar to the following:

Lol , this is funny
Lol. this is me??
Lol. this you??

So what should you do if you fall victim to a phishing scam turned social network worm? Be a friend and alert your contacts that messages posted are not actually from you. In general, the ABCs of proper etiquette after a normal social networking scam are:

  • Acknowledge the attack to anyone who might have been adversely impacted.
  • Be detailed: Tell them what message they might have received as a result of the malware/phishing and what might have happened as a result.
  • Caution your contacts: Use this as an opportunity to remind everyone that just because they think a message comes from someone they know, there really is no way of telling for sure. If they ever do click a link that then leads to a login page or to a video codec install, they should close the page immediately and contact their friend via some other method to inquire (and possibly alert them) about the seemingly malicious link.
  • When Twitter accounts are phished, the 140 character limitation makes it a bit harder to convey the message. Using as few words as possible, try to include enough details about the message sent so folks can identify it, ended with a brief "I'm sorry". Don't ever include a link in that apology; after all, it was clicking on a link that got folks in trouble in the first place.
  • This brings up another point. Instead of typing very brief generic messages when sending legitimate links, get in the habit of including some identifying info so that the recipient can tell that the human you really did intend to send it. For example, instead of sending "Check out this funny video", always include more specifics like, "Funny video! Reminds me of that crazy guy we saw on the beach in the Bahamas." If enough folks adopted this habit, it would become much easier to distinguish the really generic messages as being likely phishing/malware attacks.

Read about some of most common ways users get taken on social networks in 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid


21 February 2010

Imminent flood of smartphone malware?

As this year's Mobile World Congress held in Barcelona, Spain, is coming to an end, a few important players in the security industry shared their thoughts about the future development of and threats looming over the mobile industry and users.

Eugene Kaspersky says that it took more than 20 years for computer viruses to become a money-making industry, but that he expects it will take much less time when it comes to the mobile market. "This year and next year we expect to see the industrialization of smartphone malware."

Mikko Hyppönen of F-Secure says that nobody can predict when the first worldwide outbreak of a mobile worm or virus will hit. "We have been able to delay it by more than five years, at least," he says.

The Sydney Morning Herald reports that, so far, F-Secure has detected only 430 worms for mobile platforms in the last six years, which isn't such a huge number when you compare it with the number of computer worms. The same can be said about password-stealing Trojans and viruses.

Hyppönen thinks the situation is such because the first malware on every new platform is always created by hobbyists - as a challenge and a method to show off their skills. When money-making opportunities begin to rise, the "real" criminals enter the arena.

Kaspersky thinks that that day is coming soon, because mobile banking is on the rise.

Adam Leach of Ovum has a more positive vision of the future, since the companies have, so far, found ways to minimize the threat. But he doesn't think that is a reason to be complacent - quite the contrary. Staying vigilant and taking the threat seriously will help with its mitigation.

20 February 2010

Google Attack Traced To Chinese Schools

The physical sources of the online attacks that targeted Google, Yahoo, Adobe, and many other organizations have been fairly well pinpointed, according to a new report. The supposed starting points: computers at two Chinese schools - Shanghai Jiaotong University and the Lanxiang Vocational School. This information comes courtesy of John Markoff and David Barboza (along with their unnamed sources).

This seems to have been determined with a high degree of certainty. Unfortunately, it remains unknown who was behind the attacks, and individuals, companies, and governments all remain under suspicion.

According to The New York Times, the first is home to one of the top computer science programs in China, whose superiority was witnessed a couple of weeks ago when they came first in the IBM-sponsored "Battle of the Brains", beating 102 other teams from around the world, including the US champions - the team from Stanford University.

The second is endorsed by the military, since it is one of the schools in which future army computer scientists are trained. It is also worth mentioning that this school's network is managed by a company closely connected to China's most popular search engine, Baidu.

And while the involvement of students of the vocational school is suspected to come from a particular computer science class led by a Ukrainian professor (on whose existence and/or activity the school has refused to comment), a professor teaching Web security at Jiaotong University admits he is not surprised at the news. "Actually students hacking into foreign Web sites is quite normal," he says.

Proving whether the intrusions were the work of individuals who were only "experimenting", or of people actually working under the orders of the Chinese government or military, will be very difficult, if not impossible.

19 February 2010

Microsoft Investigating Possible Breach Of Windows Live ID

Flaw might have enabled some users to see into other users' accounts, Microsoft says.

Microsoft is looking into some reported problems with its Windows Live ID service, which supposedly showed some users the wrong accounts when they tried to access Hotmail and other services.

According to news reports, Microsoft is saying that a "limited number" of customers were able to gain access to other users' accounts via Windows Live ID.

The breach occurred when users were trying to get into their own accounts using a mobile-phone Web browser, the company said in a statement.

"Microsoft takes customers' privacy seriously, and immediately upon learning of these reports, we started an investigation," the statement says. "We will take appropriate action once we have completed the investigation."

According to the reports, the Windows Live ID service experienced a short outage around the same time users reported seeing other users' accounts. Microsoft's statement says the company has not determined whether the outage and the user reports are related.

More than 460 million users have online IDs that work with the Windows Live ID system, including users of the popular Hotmail service, according to Microsoft's Web site.

18 February 2010

Facebook users targeted by fake AV

Facebook users are once again in danger of getting their computers compromised as a new spamming campaign urging them to update their account agreement is currently under way.

Panda Labs has already received 16,000 emails since yesterday, and that is probably just the tip of the iceberg.

This is what the e-mail looks like:

It tries to scare the users into downloading the attached agreement.zip, saying that if they don't update their account agreement, their account will be restricted.

If you do as you're told, and you unzip and run the executable, you'll become the owner of your very own rogue AV solution by the name SecurityTool.

Apart from displaying constant warnings about your computer being infected, SecurityTool will also restart it, prevent the running of .exe files and leave the screen blue so that you can't work with it.

This last claim seems unlikely to me. Presumably, it allows you to pay for the solution? If it doesn't, what's in it for the authors?

In any case, Facebook users would do well to remember that any such changes or updates are never sent by mail but published in their personal account.

Spammers Make Situation Iffier For Google Buzz

Websense wrote in a blog post, "Today we saw the first spam using Google Buzz to spread a message about smoking . . . . The spammer is already following 237 people, and we can only imagine that he or she has sent similar messages to all of them. This particular message leads to a site hosted on a free Web hosting service talking about how to quit smoking."

That's not good for all the traditional reasons people don't like spam, of course. Then there's a more specific way in which this could pose a problem for Google.

Given that Google Buzz was already struggling on the PR front (all sorts of privacy issues cropped up since Google sort of sprung the feature on Gmail users without their permission), spammers could do its reputation serious harm. Think of it this way: a cool new technology with some bugs might be found acceptable . . . a new way for spammers to reach people doesn't stand much of a chance.

Google's very much in damage control mode at the moment, so we'll give this a while to see how things shake out.

Meanwhile if you're still paranoid about the whole Buzzy situation, you can still choose to Buzz Off (disable Google Buzz). Just follow the steps listed here.

17 February 2010

Security updates for Adobe Reader and Acrobat

A critical vulnerability has been identified in Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh.

This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Users can utilize the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and can be manually activated by choosing Help > Check For Updates Now.

16 February 2010

Various Olympics Related Dangerous Google Searches

2010 marks the year of the Winter Olympics in Vancouver. We have received reports about the (sadly expected by now) search engine poisoning for various Olympics-related terms.

For example, the name of the killed Georgian luge athlete is used to redirect unsuspecting users to fake antivirus and other malicious content. The redirect is browser dependent. Firefox is usually redirected to "qooglesearch.com" (note the 'q' as first letter instead of a 'g').

It is probably advisable to watch out for DNS requests for this domain to spot possible infections. Internet Explorer is redirected to a wide range of different domains which are apparently picked at random.
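As an added example (not code from the original article), a small Python check that scans DNS query logs for lookups of the redirect domain named above, catching subdomains as well as case and trailing-dot variants. The BIND-style log format, the client addresses and the helper names are assumptions, and the log lines are constructed.

```python
import re
from typing import Iterable

# Constructed sample of BIND-style query log lines (not real traffic).
SAMPLE_DNS_LOG = """\
14-Feb-2010 10:01:02.123 client 192.0.2.10#51234: query: www.google.com IN A + (198.51.100.1)
14-Feb-2010 10:01:05.456 client 192.0.2.23#51235: query: qooglesearch.com IN A + (198.51.100.1)
14-Feb-2010 10:01:07.789 client 192.0.2.23#51236: query: cdn.QoogleSearch.COM. IN A + (198.51.100.1)
14-Feb-2010 10:02:00.000 client 192.0.2.44#51237: query: news.example.org IN AAAA + (198.51.100.1)
"""

# The redirect domain named in the article; case and trailing dot are normalised before matching.
WATCHLIST = {"qooglesearch.com"}

# Extracts the client address, queried name and record type from a BIND query log line.
_QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def normalize_qname(name: str) -> str:
    """Lower-case and strip the root dot so 'Foo.COM.' compares equal to 'foo.com'."""
    return name.lower().rstrip(".")


def is_watched(qname: str, watchlist=WATCHLIST) -> bool:
    """True if qname is a watchlisted domain or any subdomain of one (not a mere suffix)."""
    q = normalize_qname(qname)
    return any(q == d or q.endswith("." + d) for d in watchlist)


def find_suspect_lookups(log_lines: Iterable[str], watchlist=WATCHLIST):
    """Return (client_ip, normalised qname, rrtype) for every query to a watched domain."""
    hits = []
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format we do not parse)
        client, qname, rrtype = m.groups()
        if is_watched(qname, watchlist):
            hits.append((client, normalize_qname(qname), rrtype))
    return hits


def clients_to_triage(log_lines: Iterable[str], watchlist=WATCHLIST):
    """Distinct internal hosts that resolved a watched domain, sorted for a ticket."""
    return sorted({client for client, _, _ in find_suspect_lookups(log_lines, watchlist)})


if __name__ == "__main__":
    for hit in find_suspect_lookups(SAMPLE_DNS_LOG.splitlines()):
        print("suspect lookup:", hit)
    print("hosts to check:", clients_to_triage(SAMPLE_DNS_LOG.splitlines()))
```

Adding the randomly chosen Internet Explorer redirect domains to WATCHLIST as they are identified extends the same check without changing the code.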

Take a look at the following video to gain a better understanding of how the attack works:

15 February 2010

Adobe pushes out Flash security fix

Adobe has published a cross-platform update for Flash that addresses a potentially serious security flaw.

Flash Player users are advised to upgrade to version 10.0.45.2 to plug a hole in earlier versions of the software that means the domain sandbox security protection could be bypassed to make unauthorized cross-domain requests.

The two-part fix means surfers also need to upgrade to Adobe AIR version 1.5.3.1930, as explained in Adobe's bulletin here.

The cross-platform update applies to Windows, Mac and Linux versions of the software.

In related news, Adobe promised relief from a critical vulnerability in Acrobat and Reader with a patch due to arrive next Tuesday, 16 February. This fix is related to the Flash problem which is why Adobe is releasing an update outside its recently announced quarterly patch cycle.

Flaws in Adobe software, second only to Microsoft's, have been exploited in numerous targeted hacker attacks over recent months, prompting some security watchers to advise users to consider the use of alternative PDF readers. Adobe is beginning to get to grips with the problem, but its patching process often remains cumbersome and fiddly.

13 February 2010

A Perfect Valentine’s Day

As in past years, Internet users can expect to see numerous emails this weekend with links to malicious downloads, which often have subject lines related to Valentine's Day. In 2010 cybercriminals are also exploiting social networking sites such as Facebook and Twitter.

Social engineering remains cybercriminals' preferred technique for deceiving users. In these cases, cybercriminals obtain confidential information from users by convincing them to take a series of actions. They use a carefully selected social engineering tactic to convince users to hand over their data or install a malicious program, which captures information and sends it to fraudsters.

Planning a romantic Valentine’s Day for your loved one? There is seemingly no end to what you can do to add even more sparkle to this "dreamy" day. Perhaps a bottle of wine, flowers, or a lovely gift to impress him/her—and if you aren’t with anyone, there are even dating services available that provide you with options to meet a date!

Valentine’s Day is a great target. We’ve observed several spam email message styles related to this upcoming event. Gift options, flower delivery, dating service, med spam to spice up your relationship, and much more.

Read on to see the common header lines that Symantec has tracked relating to Valentine’s Day so far.

Meanwhile, some practical tips on hand:

*Don't open e-mails or messages received on social networks from unknown senders.

*Do not click any links included in e-mail messages, even if they come from reliable sources. This rule applies to messages received through any mail client, as well as those in Facebook, Twitter, or other social networks or messaging applications.

*If you do click on any such links, take a close look at the page you arrive at. If you don't recognize it, close your browser.

*Do not run attached files that come from unknown sources. Stay on the alert for files that claim to be Valentine's Day greeting cards, romantic videos or other related propaganda.

11 February 2010

Twitter, Google and Hi5 being abused in Prolaco worm distribution

Twitter, Google and the social networking site Hi5 are being abused in an email campaign to distribute the Prolaco worm.

27 out of the 41 AV engines detected the Prolaco worm at the time this article was published.
